Cambium cnPilot - Freeradius Configuration

Edited

 Description:

Customers wishing to utilise radius authentication, but do not currently have a radius server, may wish to use freeRADIUS. freeRADIUS (http://freeradius.org/) is one of the most popular and widely deployed RADIUS servers. It is open source, feature rich, stable, and can be used with cnPilot access points for a variety of authentication and accounting needs. freeRADIUS sources and binaries for a number of platforms can be downloaded from:

http://freeradius.org/download.html

In addition, binaries for Windows (this is an older version with some differences in configuration file syntax and features, but functional for Username/Password as well as 802.1X authentication) can be downloaded from:

http://freeradius.net/Downloads.html

How to fix:

The first step is to setup a shared secret that will be used to authenticate packets between the RADIUS clients (cnPilot access points) and the RADIUS server. On the freeRADIUS install, this will be in the etc/raddb/clients.conf file in the location where freeRADIUS is installed. Entries can be added for each AP though its simpler to add it for the whole subnet, like the example below:

client wifi-APs {
    ipaddr      = 192.168.0.0/16
    secret      = testing123
}

The same shared secret must be configured on the access point as well when adding the IP address of the RADIUS server; this can be found at Configuration -> WLAN:

cnPilot APs can authenticate users on the RADIUS server for multiple security topologies, including MAC authentication, guest-access with username/password, as well as various EAP types for WPA2-Enterprise (802.1x).

No user entries are needed on the AP itself, all the configuration goes in the etc/raddb/users file on freeradius. The following are examples of a MAC authentication as well as guest-access/EAP (username and password):

 

001a2b89de2d Cleartext-Password := "001a2b89de2d"

myusername Cleartext-Password := "SecretPassword"

The users file is also where specific per-user parameters (for rate limit or vlan assignment) can be defined. For instance to make the user john use VLAN 10 (dynamic vlan assignment through RADIUS) that users entry would be as follows:

 

john Cleartext-Password := "sm!th"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 10

802.1x/EAP configuration:

freeRADIUS automatically enables support for common EAP types and includes a server certificate to get things started.

Customisation of EAP settings can be done in etc/raddb/eap.conf or etc/raddb/policy.d/eap depending on the version of the server and raddb/certs/README has details on setting up your own certificates.

 Troubleshooting:

 The freeRADIUS log files contain detailed information on what is going on and will be helpful in debugging any failures. logs go to the logdirdirectory as set in etc/raddb/radiusd.conf. The server can also be run in full debug mode in the foreground:

./sbin/radiusd -X

On the AP side logs can be viewed under troubleshooting, with Events containing high level logs (whether connection has failed or succeeded) and Debug Logs containing additional debugging information.

Was this article helpful?

Sorry about that! Care to tell us more?

Thanks for the feedback!

There was an issue submitting your feedback
Please check your connection and try again.